Last week when Michael Lynn exposed Cisco IOS router vulnerabilities at the Black Hat conference and was subsequently silenced by court order, it seemed that the Internet might be doomed.
But, all is not lost. It seems that while Lynn’s disclosures may not have been in Cisco’s interests, those vulnerabilities are nothing new to hackers and security experts.
In other words, don’t expect to see the Internet come crashing down because of Michael Lynn.
“He omitted any detail that would help someone do harm,” said Herbert Thompson, director of Security Technology and Research at Security Innovation, an independent provider of application security services. “Had it not been for the reaction of the vendors, then it would have certainly been less of a public event.”
This isn’t to say that Lynn’s talk didn’t embolden some in the hacker community to go after Cisco routers with renewed vigor, said Webroot Software’s Richard Stiennon, vice president of Threat Research. But all the fervor around Lynn’s disclosures is a bit of mountain building.
If the Internet’s security structure could be rated on a scale from one to 100, Stiennon said it would rate a 20 before Lynn’s talk. After? Possibly a 15.
“It doesn’t make it more likely but it does make it easier,” he said.
There are many other vulnerable aspects to the Internet that are well-known and equally, if not more, exploitable, said Stiennon.
The real lesson to take away from Lynn’s talk is that CIOs need to be aware that more than just OSs and applications need to be patched and updated from time to time, said IDC’s Program Manager for Enterprise Networking, Abner Germanow.
“If you’re skilled enough to take the Internet down then chances are you’ve spent a lot of time hacking IOS (Cisco’s router OS),” said Germanow. “So, if that’s your end goal, chances are there wasn’t a whole lot of news in Lynn’s talk.”
Germanow suggests using the hype around Lynn’s talk to prioritize the inventory of all your network routers, see which ones are from Cisco and then see if they are patched or running the latest version of IOS, which, as of April, has been cleared of the vulnerability Lynn described.
If the router can’t be updated, then replace it, he said.
“I think the Lynn situation has drawn attention to the fact that we need to look beyond patch deployment on the platform and also look at patch deployment on devices and other systems,” agreed Thompson. “You need to think broadly when applying patches.”
Since most IT departments have disaster recovery plans in place for things like a flooded data center, Stiennon suggests CIOs take a cue from Lynn and expand those plans to include an Internet outage. How will you connect to off-site employees with no email? How will your Internet-dependent business processes have to be re-routed to keep the organization running? … things like that.
“Most CIOs of large organizations have figured out what to do if their data center is flooded but what do you do if the connection that ties all your data centers (together) is not there?” Stiennon asked.
So, the sky is not going to fall because of Michael Lynn, but Cisco’s routers may get some unwanted attention in the coming year because of all the media attention given to the situation, said Germanow. And this may lead to some new headaches for IT managers with unpatched networks.
“Generally, in the security world, when something becomes news you can assume that at least some people have known about it for about two years,” said Germanow. “So, when it’s news it’s not really news.”